Common Java Cookbook

Edition: 0.19

11.15. Accepting a Self-Signed Certificate

11.15.1. Problem

You need to work with a server that is using a self-signed certificate.

11.15.2. Solution

Provide a custom SSLProtocolSocketFactory that is configured to trust your self-signed certificate. A sample implementation of SSLProtocolSocketFactory named EasySSLProtocolSocketFactory is available via HttpClient's CVS repository, and the following example uses it to trust a self-signed certificate:

import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpMethod;
import org.apache.commons.httpclient.contrib.ssl.EasySSLProtocolSocketFactory;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;

public class SelfSignedExample {
    public static void main( String[] args ) throws Exception {
        HttpClient client = new HttpClient( );
        String url = "https://pericles.symbiont.net/jccook";

        // Protocol.registerProtocol( ) is a static registry: this replaces
        // the "https" handler for every HttpClient in the JVM, not just
        // the client created above.
        ProtocolSocketFactory socketFactory =
            new EasySSLProtocolSocketFactory( );
        Protocol https = new Protocol( "https", socketFactory, 443 );
        Protocol.registerProtocol( "https", https );

        HttpMethod method = new GetMethod( url );
        try {
            client.executeMethod( method );
            String response = method.getResponseBodyAsString( );
            System.out.println( response );
        } finally {
            // Return the connection even if the request fails
            method.releaseConnection( );
        }
    }
}

This executes and accepts the self-signed certificate from pericles.symbiont.net:

Word up, this page was served using SSL!

11.15.3. Discussion

EasySSLProtocolSocketFactory and EasyX509TrustManager can be obtained from HttpClient's CVS in the src/contrib directory. If you do not want to check out the source code from CVS, you can also obtain these two classes from ViewCVS on cvs.apache.org. HttpClient's CVS repository can be accessed at http://cvs.apache.org/viewcvs.cgi/jakarta-commons/httpclient/, and the two classes are in the src/contrib/org/apache/commons/httpclient/contrib/ssl directory. To use these classes, you must integrate them into your own project, customizing the behavior of these classes as you see fit.

EasySSLProtocolSocketFactory uses the EasyX509TrustManager to validate a certificate. To customize the criteria for certificate acceptance, alter the implementation of EasyX509TrustManager. For example, if you only want to accept a certificate from a specific hostname, change the implementation of the isServerTrusted() method in EasyX509TrustManager.

11.15.4. See Also

In the same package as EasySSLProtocolSocketFactory and EasyX509TrustManager is an implementation of SSLProtocolSocketFactory named StrictSSLProtocolSocketFactory, which makes sure that the hostname of the SSL server matches the hostname of the SSL certificate. For more information, go to HttpClient's CVS repository (http://cvs.apache.org/viewcvs.cgi/jakarta-commons/httpclient/) and download StrictSSLProtocolSocketFactory from the src/contrib/org/apache/commons/httpclient/contrib/ssl directory.


Creative Commons License
Common Java Cookbook by Tim O'Brien is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.
Permissions beyond the scope of this license may be available at http://www.discursive.com/books/cjcook/reference/jakartackbk-PREFACE-1.html. Copyright 2009. Common Java Cookbook Chunked HTML Output. Some Rights Reserved.